subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nico Kadel-Garcia <nka...@gmail.com>
Subject Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers
Date Sat, 12 Apr 2014 10:53:28 GMT
On Fri, Apr 11, 2014 at 10:26 PM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
> On Fri, Apr 11, 2014 at 7:10 PM, Ben Reser <ben@reser.org> wrote:
>> On 4/11/14, 12:52 PM, Nico Kadel-Garcia wrote:
>>> Do you have a pointer to that? It's a reasonable claim, I'd just not
>>> seen anything for verifying it or testing against HTTP sites that have
>>> HTTPS enabled, perhaps even with HTTPS only  accessible behind a
>>> closed firewall for administrative user
>>
>> Apache HTTP Server can respond to multiple ports, some of which may be SSL
>> enabled and some of which that many not.  The same processes are used for
>> either.  As such even if you only have your Subversion repository running over
>> HTTP, if you have SSL enabled for some other purpose, your Subversion related
>> data in memory might be exposed.

Sorry for the blank reply. The SSL based services, when managed by
Apache, are normally handled by a different "VirtualHost" setting, but
yes, you're right.. The same daemon and child processes have the SSL
module loaded.

Mime
View raw message